This variant of a phishing attack uses Unicode to register domains that look identical to real domains. These fake domains can be used in phishing attacks to fool users into signing into a fake website, thereby handing over their login credentials to an attacker.
The xn-- prefix is known as the ASCII-compatible encoding (ACE) prefix. It tells the browser that the domain uses Punycode encoding to represent Unicode characters. In plain terms, a domain name that contains Chinese or other international characters can be registered in a form that uses only normal A-Z characters, and the browser can then display that domain with its international characters in the location bar.
Source: Wordfence (Check "Additional Information").
The vulnerability is not yet fixed in Chrome 57.0.2987 and Firefox 52.0.2.
<Proxy>
    condition=UnicodeBlocking DENY

define condition UnicodeBlocking
    url.host.substring=xn--
end
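The same xn-- test can be run over URLs already seen in proxy logs, decoding each Punycode label so a reviewer sees what the browser would display. This Python code is an added example, not part of the source article or the proxy policy; the function names and sample URLs are constructed, the prefix is tested per label rather than as a substring, and the script detection from Unicode character names is an approximation.

```python
import unicodedata
from urllib.parse import urlsplit

ACE_PREFIX = "xn--"  # ASCII-compatible encoding prefix

def to_ace(label):
    """Build the xn-- form of a Unicode label (only used to construct samples)."""
    return ACE_PREFIX + label.encode("punycode").decode("ascii")

def scripts(label):
    """Approximate a label's scripts from the first word of each letter's Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}

def inspect_host(host):
    """Return (unicode_host, findings) with one finding per xn-- label."""
    decoded, findings = [], []
    for label in host.rstrip(".").lower().split("."):
        if not label.startswith(ACE_PREFIX):  # per-label prefix test
            decoded.append(label)
            continue
        try:
            text = label[len(ACE_PREFIX):].encode("ascii").decode("punycode")
        except UnicodeError:
            text = label  # malformed Punycode: keep the raw label
        decoded.append(text)
        found = sorted(scripts(text))
        findings.append({"ace": label, "unicode": text,
                         "scripts": found, "mixed": len(found) > 1})
    return ".".join(decoded), findings

def flag_urls(urls):
    """Return (url, unicode_host, findings) for each URL whose host has an xn-- label."""
    flagged = []
    for url in urls:
        unicode_host, findings = inspect_host(urlsplit(url).hostname or "")
        if findings:
            flagged.append((url, unicode_host, findings))
    return flagged

# Constructed sample URLs: plain ASCII, a German IDN, and a Latin label with Cyrillic U+0430.
SAMPLE_URLS = [
    "https://www.example.com/login",
    "http://" + to_ace("b\u00fccher") + ".example/",
    "https://" + to_ace("ex\u0430mple") + ".example/signin",
]

if __name__ == "__main__":
    for url, host, findings in flag_urls(SAMPLE_URLS):
        print(url, "->", host, findings)
```

A label flagged as mixed combines letters from more than one script; a label written entirely in one non-Latin script can still imitate a Latin name, so every flagged host deserves a look.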